Google relents—adds system password prompt before displaying web passwords

Nov 05, 2013 by Bob Yirka weblog

(Phys.org) —This past summer it was widely reported that Google Chrome had a web security flaw—all of the passwords that were saved for various web sites could be displayed by anyone gaining physical access to a computer, by typing in a simple command. That prompted a lot of people to criticize Google for its lackadaisical approach to web security for its user community. Google defended itself by noting that if someone gained physical access to someone else's computer and were able to use their Chrome browser, they would be able to access all of the web sites that the original owner had saved anyway (because the login and passwords would be filled in automatically), regardless of whether they could see the passwords, which were stored on the local hard drive in plain text.

Now it appears that Google has had a change of heart, at least as it applies to Mac users—Chromium developer François Beaufort has announced on his Google+ page that Google has implemented a "fix" for the problem for users of the Chromium Build for Mac. Now, if a sneaky person gains physical access to someone else's computer and tries to get the browser to show all of the saved , they will be prompted to first type in the Mac OS password. Of course, that still won't stop them from visiting and logging in automatically (because the passwords have still been saved after all) to whatever web sites they find in the list of favorites, their history, etc.

It's not clear why Google had a change of heart, or if the change will be made to Google Chrome (Windows) or if it will, how long that might take. Last summer, company reps said making such a change to Chrome would give users a false sense of security. They suggested that users lock their computer when away from the keyboard to give themselves a true security system.

It's clear that forcing users to type in a system password will prevent miscreants from quickly printing out a list of logins/passwords—whether it will also lull them into a false of remains to be seen—at least for Mac users.

Explore further: PIN customers can avoid heat of thief's phone attachment

Related Stories

Google vision of password rings heard at security event

Mar 13, 2013

(Phys.org) —Google finds much appeal in gaining the distinction of leading the way toward a future where USB sticks and rings can replace traditional passwords. The idea of killing off passwords has been ...

Recommended for you

PIN customers can avoid heat of thief's phone attachment

6 hours ago

Engineer Mark Rober has some words of advice in guarding the safety of your PIN. His advice comes in the form of a video where he demonstrates that a thief can steal a PIN by using a thermal imaging attachment ...

Protecting privacy also means preserving democracy

11 hours ago

What impact does the proliferation of new mobile technologies have? How does the sharing of personal data over the Internet threaten our society? Interview with Professor Jean-Pierre Hubaux, a specialist ...

US cyber-warriors battling Islamic State on Twitter

Aug 31, 2014

The United States has launched a social media offensive against the Islamic State and Al-Qaeda, setting out to win the war of ideas by ridiculing the militants with a mixture of blunt language and sarcasm.

What metadata does the government want about you?

Aug 28, 2014

With the leaking of a discussion paper on telecommunications data retention, we are at last starting to get some clarity as to just what metadata the Abbott government is likely to ask telecommunications ...

User comments : 3

Adjust slider to filter visible comments by rank

Display comments: newest first

evropej
1 / 5 (6) Nov 05, 2013
Logging into a site is one thing, getting the password to log in from any pc is another. This is what happens when you get so big and go from technology development to groogling the world with spam.
Zera
1 / 5 (6) Nov 05, 2013
check out lightbeam - google sits at the centre of just about every interaction you have with the "web"
Ducklet
1 / 5 (5) Nov 05, 2013
The password has to be available in plaintext anyway, at some point, or the browser won't be able to auto-fill it.